Potential GDPR Breach by the Irish Government Department Investigated

The Irish Data Protection Commission (DPC) is under investigation for potential General Data Protection Regulation (GDPR) breaches in connection with a data protection officer of the body being stopped from successfully completing GDPR-related tasks.

Article 80 of GDPR says that it is allowable for an individual to nominate a not-for-profit organization working in the public interest to submit a complaint to a national regulator where he or she claims infringements of their legal rights under the EU regulation. Additionally, GDPR allows not-for-profit organizations to look for “an effective judicial remedy” regarding such complaints, when they feel their legal rights have been violated.

Digital Rights Ireland, a data privacy advocacy group, together with Irish Times columnist and technology journalist Karlin Lillington, submitted the complaint based on Article 80. The group sent in the complaint after discovering the Department of Employment Affairs and Social Protection secretary general directed changes to the department’s online privacy policy and removed a reference to the gathering of people’s biometric information. This action was undertaken after the Department of Social Protection repeatedly denied that it used biometric information in connection with the public services card, even if it retains more than three million photos of Public Services card holders in its databases.

While the data protection officer was on annual leave last August, the changes were made. A Freedom of Information request to obtain the records revealed the changes. But the data protection officer said he wouldn’t have approved the amendments and that he had no prior awareness about them. Under GDPR, the data protection officer should be independent and his employer-organization is not allowed to give any directives concerning his duties.

The Data Protection Commission’s senior investigator replied to the complaint on November 23rd confirming potential breaches of GDPR requirements have been noted and the commission is inquiring about this matter and will give an update soon, in spite of claims that the Department of Social Protection is not aware of the ongoing investigation regarding the incident involved.

Generally, the penalty that a company or organization can face for violating GDPR legislation is 4% of yearly global income or €20 million, whichever amount is greater. However, the Irish Government has enacted privacy legislation restricting any possible penalties to €1 million.